Washington, D.C., May 28, 2009—Tomorrow, President Obama is slated to name a “cybersecurity czar with a broad mandate[2]” and issue a report outlining potential vulnerabilities in the government’s information security policies. The “czar” would be charged with managing government technology policy on matters ranging from cybersecurity to privacy—in effect, securing government networks and seeking to keep government agencies on the cutting edge of communications technology.

Such a role could be legitimate if its scope were limited to “bringing government into the 21st century[3].” But given the constant temptation by politicians in both parties to meddle with technology policy, the position of cybersecurity “czar” could easily morph into a central figure in the drive to regulate private networks, rather than simply focus on government modernization.

Cybersecurity Regulation Premature

Government regulation to address private sector cybersecurity practices is
premature. Politicians, when they do weigh in, are likely to seek massive sums[4] to
establish research grants for politically favored cybersecurity initiatives, set
up redundant cybersecurity agencies, programs, and subsidies, and steer
cybersecurity research in the academic world away from its natural course.

Past regulatory proposals affecting information security have included
mandates on data breach disclosure, virus protection, and vulnerability
reporting. As has happened with anti-spam laws, legislation aimed at
making information more secure tends to accomplish exactly the opposite. Hackers and crackers—the “bad guys” of
the information age—don’t obey the law in the first place, and many
cyber-attacks originate abroad beyond the reach of U.S. regulation.

Policy makers should be suspicious of proposals to collectivize and
centralize cybersecurity risk management, especially in frontier industries
like information technology. While government law enforcement agencies have a
necessary role to play in investigating and punishing intrusions on private
networks and infrastructure, government must coexist with, rather than crowd
out, private sector security technologies. These are the digital equivalents of
barbed wire and door locks, which private companies are constantly competing to
improve. When government asserts authority over security technologies, it
hinders the evolution of more robust information security practices and creates
barriers—both mundane and catastrophic—to non-political solutions. The result
is that we become less secure, not more secure.

Indeed, recent reports suggest[5] that both the administration and Congress are seeking to expand government authority over “critical” private networks such as power grids and computer networks in the event of breaches. The term “cyber” means everything and, therefore, nothing: the U.S. telecommunications backbone, the power grid, and virtually anything networked to some other computer would likely be fair game for a new czar to regulate. The unmistakable tenor of the cybersecurity discussion today is toward greater federal control over private infrastructure.

Washington’s Proper Cybersecurity Role

Washington’s role should be reserved to protecting the government’s own networks and setting internal security standards, rather than regulating private networks. Government should focus on arresting actual computer criminals instead of crafting policies that threaten data security, such as data retention legislation, national identification schemes, proposals to re-regulate encryption, and monolithic “czars” with broad rein to set policy across the board.

Neither industries nor broad concepts like “cybersecurity” merit Washington “czars.” Innovation in information security and privacy protection is not a function of bureaucrats and regulators in D.C. Security is an industry unto itself. A government tech czar would invariably grow into an irresistible temptation for lobbyists and could all too easily become an agent for establishing government authority over our most vulnerable frontier technologies and sciences.

Enhancing Private Sector Cybersecurity Practices

Both suppliers and customers in the high-tech sector increasingly demand better security from all players. Improving private incentives for information sharing is at least as important as greater government coordination to ensure security and critical infrastructure protection. That job will entail liberalizing critical infrastructure assets—like telecommunications and electricity networks—and relaxing antitrust constraints so firms can coordinate information security strategies and enhance reliability of critical infrastructure through the kind of “partial mergers” that are anathema to today’s antitrust enforcers.

Private cybersecurity initiatives will gradually move us toward thriving
liability and insurance markets. Heavy-handed cyber-czar gestures and
legislation cannot address the lack of authentication and inability to exclude
bad actors that is at the root of today’s cybersecurity problems.

Like everything else in the market, security technologies—from biometric identifiers to firewalls to encrypted databases—and cybersecurity services—from consulting to liability insurance to network monitoring—benefit from competition. Important cybersecurity concerns surround information sharing, anonymity, and questions of insurance and liability—all issues that corporate information and security officers deal with every day. It’s not clear what government could really fix—but it could break a lot.

Mistakes made in the market—like overly aggressive spam filters and
blacklists—are easier both to contain in their effects and to correct than is
bad legislation. Moreover, regulation can become so entrenched that genuine
liberalization, however warranted as conditions change, simply cannot occur. To
reduce the impact of any given attack, policy makers should seek to
“privatize,” rather than collectivize, responsibility for securing private
networks of all stripes.

The need to preserve a dynamic market role can be summed up in a single Cybersecurity Commandment:

Do not take steps in the name of cybersecurity that make it:
(1) impossible to liberalize or deregulate critical infrastructure and networks, or
(2) impossible or undesirable to “self-regulate” in emerging critical networks and technologies.

Government should not assert authority in ways that would make impossible future private sector security solutions as technology advances and market conditions change. The future will deliver authentication technologies far more capable than those of today. If government ignores either aspect of the Cybersecurity Commandment, it will lead to subpar information security and to economic inefficiencies—such as inadequate infrastructure investment. Such intervention could also roll back important advances that have been made in the privatization of infrastructure and services over the past decades.

America seems no worse off without a cybersecurity czar, and could be a lot worse off with one. The “broad mandate” for the czar should be avoided. At the very least, hearings are in order—but it would be best for the “czar” idea to simply fade away.

CEI is a non-profit, non-partisan public policy group dedicated to the principles of free enterprise and limited government. For more information about CEI, please visit our website at www.cei.org[10].